Subject: @RequiresAssociation
From: Kalle Korhonen
To: dev@shiro.apache.org
Date: Mon, 6 Dec 2010 09:29:16 -0800

In my projects, I repeatedly find a need to express a permission rule for allowing the currently executing subject to access or modify an instance of a persistent type when the subject is in some way associated with the said instance. For example, a user should only be allowed to update his own profile. I had implemented this association/instance-based security concept for the Trails framework (see http://trails.codehaus.org/Security+module) earlier, and now I'd like to be able to do the same for tapestry-security (http://tynamo.org/tapestry-security+guide).

With the more flexible @RequiresPermissions you could theoretically implement much more complex association-based permission rules, but in practice I've found that security rules based on the primary type's association with the executing subject solve at least 80% of the use cases, which could be expressed with a more specialized and simpler-to-use @RequiresAssociation annotation.

I could simply implement @RequiresAssociation for tapestry-security only, but I would assume that it would be equally useful for Wicket and Grails, and especially for any framework using Hibernate/JPA persistence, because add-on security rules are easy to express with the Criteria API. @RequiresAssociation could live in Shiro and have bare-bones support for it similar to @RequiresPermissions. Shiro-based security libraries could then make more complete integrations with their favorite web framework, utilizing the same annotation.

Would other Shiro devs and the community find this useful and reasonable and worth implementing in the Shiro core itself?

Kalle
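The following is an added example, not code from the post or from Shiro itself, sketching what the proposed annotation could look like: a hypothetical method-level `@RequiresAssociation("owner")` whose named property on the first argument must reference the executing subject's primary principal, together with the enforcement step a framework interceptor would run before the guarded method. The `Profile`, `ProfileService` and `checkAssociation` names and the getter-by-reflection convention are assumptions; the Shiro calls (`SimpleAccountRealm`, `DefaultSecurityManager`, `SecurityUtils`, `UnauthorizedException`) are real and assume shiro-core on the classpath.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.lang.reflect.Method;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.UnauthorizedException;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.SimpleAccountRealm;
import org.apache.shiro.subject.Subject;

// Added example (not from the original post or from Shiro): a sketch of the
// proposed association-based rule, "the subject may act on this instance only
// if the instance's named property refers to the subject".
public class RequiresAssociationDemo {

    /** Hypothetical annotation: the named property of the first argument must equal the current principal. */
    @Retention(RetentionPolicy.RUNTIME)
    @Target(ElementType.METHOD)
    public @interface RequiresAssociation {
        String value();
    }

    /** Constructed persistent type: a profile owned by a username. */
    public static class Profile {
        private final String owner;
        private String bio;
        public Profile(String owner, String bio) { this.owner = owner; this.bio = bio; }
        public String getOwner() { return owner; }
        public String getBio() { return bio; }
        public void setBio(String bio) { this.bio = bio; }
    }

    /** Service method guarded by the hypothetical annotation. */
    public static class ProfileService {
        @RequiresAssociation("owner")
        public void updateBio(Profile profile, String bio) { profile.setBio(bio); }
    }

    /**
     * Enforcement step a framework integration (interceptor/advice) would run before the
     * guarded method: read the annotation, resolve the named getter on the instance and
     * compare its value with the executing subject's primary principal.
     */
    public static void checkAssociation(Method method, Object instance) throws Exception {
        RequiresAssociation ra = method.getAnnotation(RequiresAssociation.class);
        if (ra == null) return;                       // not guarded, nothing to check
        String getter = "get" + Character.toUpperCase(ra.value().charAt(0)) + ra.value().substring(1);
        Object associated = instance.getClass().getMethod(getter).invoke(instance);
        Object principal = SecurityUtils.getSubject().getPrincipal();
        if (principal == null || !principal.equals(associated)) {
            throw new UnauthorizedException("subject " + principal
                    + " is not associated with the instance via '" + ra.value() + "'");
        }
    }

    public static void main(String[] args) throws Exception {
        // Minimal Shiro setup with a constructed in-memory account.
        SimpleAccountRealm realm = new SimpleAccountRealm();
        realm.addAccount("alice", "secret");
        SecurityUtils.setSecurityManager(new DefaultSecurityManager(realm));
        Subject subject = SecurityUtils.getSubject();
        subject.login(new UsernamePasswordToken("alice", "secret"));

        Method update = ProfileService.class.getMethod("updateBio", Profile.class, String.class);
        ProfileService service = new ProfileService();

        Profile own = new Profile("alice", "hello");
        checkAssociation(update, own);                // passes: alice owns this profile
        service.updateBio(own, "updated");
        System.out.println("alice updated own profile: " + own.getBio());

        Profile other = new Profile("bob", "hi");
        try {
            checkAssociation(update, other);          // throws: bob's profile, alice's subject
            service.updateBio(other, "should not happen");
        } catch (UnauthorizedException e) {
            System.out.println("denied: " + e.getMessage());
        }
        subject.logout();
    }
}
```

The check deliberately compares the association with the principal rather than evaluating a permission string, which is the point of the post: `profile:update` alone cannot express "only your own profile". A real integration would resolve the guarded argument and the association through the persistence layer (for example a JPA Criteria query) instead of a public getter, and fall back to `@RequiresPermissions` for rules this shape cannot express.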